Providing Secure Communication Between Sites Using VPN CloudHub

If you have multiple VPN connections, you can provide secure communication between sites
using the AWS VPN CloudHub. This enables your remote sites to communicate with each other, and
not just with the VPC. The VPN CloudHub operates on a simple hub-and-spoke model that you can
use with or without a VPC. This design is suitable for customers with multiple branch offices
and existing Internet connections who would like to implement a convenient, potentially low-cost
hub-and-spoke model for primary or backup connectivity between these remote offices.

The following diagram shows the VPN CloudHub architecture, with blue dashed lines indicating
network traffic between remote sites being routed over their VPN connections.

To use the AWS VPN CloudHub, you create a single virtual private gateway and connect multiple
customer gateways to it. You can use the same Border Gateway Protocol (BGP) Autonomous System
Number (ASN) for every customer gateway or, if you prefer, a unique ASN for each. Each customer
gateway advertises its own routes (BGP prefixes) over its VPN connection. The virtual private
gateway receives these advertisements and re-advertises them to every other BGP peer, so each
site learns how to reach, and can be reached from, every other site. For this to work, the
sites' IP ranges must not overlap with one another (or with the VPC). Note that every site
therefore receives every other site's prefixes; if some sites should not be able to reach each
other, restrict what their customer gateways advertise and accept. Each site also sends and
receives data to and from the VPC as if it were using a standalone VPN connection.

Sites that use AWS Direct Connect connections to the virtual private gateway can also be part of the
AWS VPN CloudHub. For example, your corporate headquarters in New York can have an AWS Direct Connect
connection to the VPC and your branch offices can use VPN connections to the VPC. The branch
offices in Los Angeles and Miami can send and receive data with each other and with your
corporate headquarters, all using the AWS VPN CloudHub.

To configure the AWS VPN CloudHub, you use the AWS Management Console to create multiple customer
gateways, each with the public IP address of the on-premises gateway and its BGP ASN. Next, you
create a VPN connection from each customer gateway to the common virtual private gateway. Each
VPN connection must advertise its site's specific BGP routes. You do this with the network
statements in the VPN configuration file that AWS generates for the connection; the exact
statements differ slightly depending on the type of router you use.
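The hub-and-spoke route exchange described in the preceding paragraphs (each customer gateway advertising its prefixes, the virtual private gateway re-advertising them to the other peers, the no-overlap rule, and a Direct Connect headquarters sitting on the same hub as VPN branch offices) can be made concrete with a small simulation. This is an added example, not code from AWS or from this documentation; the site names, ASNs, site prefixes and VPC CIDR are constructed for illustration, and the functions are hypothetical helpers rather than any AWS API.

```python
"""Simulate AWS VPN CloudHub route re-advertisement (added example, not AWS code).

Models what the page describes: each customer gateway (a branch office over a
VPN connection, or a headquarters over Direct Connect) advertises its BGP
prefixes to the virtual private gateway, which re-advertises them to every
other peer.  Overlapping prefixes are rejected, as the page requires.
All site names, ASNs, prefixes and the VPC CIDR are constructed values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Site:
    name: str
    asn: int                 # BGP ASN of the customer gateway (shared or unique, per the page)
    link: str                # "vpn" or "direct-connect"; both attach to the same hub
    advertised: List[str]    # prefixes this site advertises (its BGP network statements)
    learned: Dict[str, str] = field(default_factory=dict)  # prefix -> which peer owns it


class OverlapError(ValueError):
    """Raised when two sites, or a site and the VPC, announce overlapping ranges."""


def check_no_overlap(vpc_cidr: str, sites: List[Site]) -> None:
    # An overlap would make the hub's re-advertised routes ambiguous: the more
    # specific prefix would silently win, so refuse the configuration outright.
    owned = [(ipaddress.ip_network(vpc_cidr), "vpc")]
    for site in sites:
        for pfx in site.advertised:
            net = ipaddress.ip_network(pfx)
            for other, owner in owned:
                if net.overlaps(other):
                    raise OverlapError(f"{site.name} {net} overlaps {owner} {other}")
            owned.append((net, site.name))


def cloudhub_readvertise(vpc_cidr: str, sites: List[Site]) -> Dict[str, Dict[str, str]]:
    """Act as the virtual private gateway: take each peer's prefixes and
    re-advertise them to every other peer, plus the VPC CIDR to everyone."""
    check_no_overlap(vpc_cidr, sites)
    for site in sites:
        site.learned.clear()
        site.learned[vpc_cidr] = "vpc"
        for peer in sites:
            if peer is site:
                continue  # a site does not receive its own routes back
            for pfx in peer.advertised:
                site.learned[pfx] = peer.name
    return {s.name: dict(s.learned) for s in sites}


def next_hop_for(site: Site, dst_ip: str):
    """Longest-prefix match over what the hub taught this site; None = no route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for pfx, origin in site.learned.items():
        net = ipaddress.ip_network(pfx)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return best[1] if best else None


def demo():
    # Headquarters on Direct Connect, two branch offices on VPN, one shared ASN
    # (New York and Los Angeles) and one unique ASN (Miami).  Constructed data.
    hq = Site("new-york-hq", 65000, "direct-connect", ["10.0.0.0/16"])
    la = Site("los-angeles", 65000, "vpn", ["10.1.0.0/16"])
    miami = Site("miami", 65002, "vpn", ["10.2.0.0/16"])
    tables = cloudhub_readvertise("172.16.0.0/16", [hq, la, miami])
    # Los Angeles reaches a Miami host via the hub; Miami reaches a VPC host.
    return tables, next_hop_for(la, "10.2.10.5"), next_hop_for(miami, "172.16.1.1")


if __name__ == "__main__":
    routing_tables, la_to_miami, miami_to_vpc = demo()
    for name, table in routing_tables.items():
        print(name, table)
    print("los-angeles -> 10.2.10.5 learned from", la_to_miami)
    print("miami -> 172.16.1.1 learned from", miami_to_vpc)
```

Running it prints each site's learned table, showing that every site ends up with the VPC CIDR plus every other site's prefixes and nothing of its own, which is exactly the full reachability the page describes and the reason to filter advertisements if some sites must stay isolated. Feeding it a site whose prefix overlaps another site or the VPC raises `OverlapError` instead of building an ambiguous table.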

When using an AWS VPN CloudHub, you pay typical Amazon VPC VPN connection rates. You are billed
the connection rate for each hour that each VPN connection is connected to the virtual private
gateway. When you send data from one site to another using the AWS VPN CloudHub, there is no
charge for data sent from your site to the virtual private gateway; you pay only the standard
AWS data transfer rate for data relayed from the virtual private gateway out to your endpoint.
For example, if you have a site in Los Angeles and a second site in New York and both sites have
a VPN connection to the virtual private gateway, you pay $0.05 per hour for each VPN connection
(a total of $0.10 per hour). For data that you send from Los Angeles to New York (and vice
versa), the leg from the sending site into the virtual private gateway is free, and the leg from
the virtual private gateway out to the receiving site is billed at the standard AWS data
transfer rate. For more information, see VPN Connection Pricing.